by throwaway_391 2517 days ago
Most / all software has a disclosure policy, send your vulns privately and provide/negotiate a public disclosure date.

Not doing so is an asshole move.

In this case, the solution would be to track down distributions which did not package the software and (privately) disclose to them that the relevant lib needs updating.


>Not doing so is an asshole move.

Dictating how researchers should choose to publish their work product is an asshole move.

If someone chooses to share their work product with you privately, that's very charitable of them. It's not reasonable to expect charity.

Everybody, including researchers, has a duty to publish things responsibly and, if necessary, withhold the publication. Despite the economic incentives, the moral responsibility is to research and harden systems, not to publish whatever and build a resume.

You can't just publish information harmful to the public and say "well I'm a researcher, so I can do anything I want". Publishing instructions to bypass important security restrictions that people rely on is often harmful and may even be illegal in some countries, for good reason - to protect the people.

Does this universal duty to work for free only concern security research?

>You can't just publish information harmful to public

It’s simply ridiculous to describe full disclosure like that.

I've heard some interesting arguments about publicly dropping 0days to make organisations pull their heads in - Places like Microsoft which historically weren't -great- at security 'deserved' it. I'm not saying that argument is right or wrong, but it was interesting nonetheless.

But dropping a 0day irresponsibly can lead to actual impact - what happens if a good person is persecuted, or executed because of the information you disclosed publicly? What about a hundred. Or a thousand?

I did not say duty to work for free, but duty to observe some restrictions and weigh the positive/negative impacts of your publications on society if you choose to work in that domain.

Publicly dropping a bug is still better for the public than keeping it secret. Full disclosure is charity.

No, it's called Responsible disclosure. https://security.stackexchange.com/questions/52/how-to-discl...

By not contacting the developer first, you're acting in bad faith. This opens you up to all kinds of legal liabilities, not to mention the social exclusion that will occur.

Nonsense. “Responsible disclosure” is a term coined by vendors to shame researchers who don’t play ball.

There’s no implicit “bad faith” in full disclosure or even the sale of weaponized 0day exploits.

Oh this trope again. I am no vendor and I fully support the idea that security researchers coordinate their publication activities with affected parties.

Great, me too. But I also fully support the idea that people should be allowed to do whatever the fuck they want with their work product. (within the limits of the law, of course)

Charity is nice, but I’m not going to insist that you donate your whole paycheck!

> I also fully support the idea that people should be allowed to do whatever the fuck they want with their work product. (within the limits of the law, of course)

Do you want ham-fisted regulations? Because that's how you get ham-fisted regulations.

Lawmakers analogize. All it takes is for some bright representative to think that "vulnerability disclosures" are more akin to "burglary tools" than to public service announcements to justify criminalizing third-party security research (or the resulting disclosures).

By choosing to disclose publicly rather than privately, they're willfully giving (in their minds) an RCE on every VLC installation to whomever reads the bug logs. I think most people would agree that's not right.